Fossil

Check-in [52b9caa5]

Overview
Comment: Coding style tweak.
SHA3-256: 52b9caa5027e717f02deb6d012ee2a2d99cd968d151f6e4d7b87d1fa8b88cc1b
User & Date: mistachkin 2018-08-11 23:51:03
Context
2018-08-12
10:42 Merge the fix to the login-by-email-address patch. check-in: 9b4e157b user: drh tags: trunk
2018-08-11
23:51 Coding style tweak. Closed-Leaf check-in: 52b9caa5 user: mistachkin tags: login-with-email
16:59 Fix to checkin [8c91be8b], which was intended to allow the user to log in with the email found in the contact info field of the user table. That checkin is fine as far as it goes, but it only works if the caller doesn't subsequently try to use the passed user name for anything else, since it isn't actually a user name. This checkin causes the low-level login checking function to re-point the user name pointer at the actual login name discovered while scanning for matching email addresses. check-in: 33522ff4 user: wyoung tags: login-with-email
Changes

Changes to src/login.c.

   215    215   ** <human@example.com>".  In that case, *zUsername will point to that
   216    216   ** user's actual login name on return, causing a leak unless the caller
   217    217   ** is diligent enough to check whether its pointer was re-pointed.
   218    218   **
   219    219   ** zPassword may be either the plain-text form or the encrypted
   220    220   ** form of the user's password.
   221    221   */
   222         -int login_search_uid(const char **zUsername, const char *zPasswd){
   223         -  char *zSha1Pw = sha1_shared_secret(zPasswd, *zUsername, 0);
          222  +int login_search_uid(const char **pzUsername, const char *zPasswd){
          223  +  char *zSha1Pw = sha1_shared_secret(zPasswd, *pzUsername, 0);
   224    224     int uid = db_int(0,
   225    225       "SELECT uid FROM user"
   226    226       " WHERE login=%Q"
   227    227       "   AND length(cap)>0 AND length(pw)>0"
   228    228       "   AND login NOT IN ('anonymous','nobody','developer','reader')"
   229    229       "   AND (pw=%Q OR (length(pw)<>40 AND pw=%Q))"
   230    230       "   AND (info NOT LIKE '%%expires 20%%'"
   231    231       "      OR substr(info,instr(lower(info),'expires')+8,10)>datetime('now'))",
   232         -    *zUsername, zSha1Pw, zPasswd
          232  +    *pzUsername, zSha1Pw, zPasswd
   233    233     );
   234    234   
   235    235     /* If we did not find a login on the first attempt, and the username
   236    236     ** looks like an email address, then perhaps the user entered their
   237    237     ** email address instead of their login.  Try again to match the user
   238    238     ** against email addresses contained in the "info" field.
   239    239     */
   240         -  if( uid==0 && strchr(*zUsername,'@')!=0 ){
          240  +  if( uid==0 && strchr(*pzUsername,'@')!=0 ){
   241    241       Stmt q;
   242    242       db_prepare(&q,
   243    243         "SELECT login FROM user"
   244    244         " WHERE find_emailaddr(info)=%Q"
   245    245         "   AND instr(login,'@')==0",
   246         -      *zUsername
          246  +      *pzUsername
   247    247       );
   248    248       while( db_step(&q)==SQLITE_ROW ){
   249    249         const char *zLogin = db_column_text(&q,0);
   250    250         if( (uid = login_search_uid(&zLogin, zPasswd) ) != 0 ){
   251         -        *zUsername = fossil_strdup(zLogin);
          251  +        *pzUsername = fossil_strdup(zLogin);
   252    252           break;
   253    253         }
   254    254       }
   255    255       db_finalize(&q);
   256    256     }    
   257    257     free(zSha1Pw);
   258    258     return uid;
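
Review bot: The header comment at lines 215-216 still reads "*zUsername will point to that user's actual login name on return", but the parameter is now pzUsername, so the comment should be renamed to *pzUsername in this same check-in. That comment also concedes a leak "unless the caller is diligent enough to check whether its pointer was re-pointed": at line 251 the function stores a fossil_strdup() copy into *pzUsername, and nothing in the signature tells the caller that it may now own heap memory. Consider stating in the comment that the caller must compare the pointer before and after the call and free the new value, or returning the allocated login through a separate out-parameter. Line 256 carries trailing whitespace after the closing brace, which a style-only change could also drop.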